Ransomware is probably the last thing you want to be thinking about, but it is a reality of today’s business world. The power of technology to transform business is more prevalent than it’s ever been. But being more dependent on that technology means that unfortunately, cybercriminals know that as well. Many organizations are used to writing checks where there are clear returns on investment, but it’s a little more difficult for IT teams to understand spending money to avoid loss. And so this type of cybersecurity protection is a little more difficult of a conversation to have with business leaders.
That’s why InterVision hosted the recent webinar, “How to Survive a Ransomware Attack.” In this blog, we dive into a few key takeaways from the event.
Building Your Strategy to Fit the Threat
InterVision’s Solutions Engineer for Resiliency, Ben Miller, started off the event with a summary of the threat landscape before digging into actionable steps organizations can take in protecting their business before a ransomware event occurs. He shared that businesses must, first and foremost, start treating ransomware as a real disaster, not a typical security event. This approach demands that investment and accountability come from the top of the organization rather than the IT department, since the protection of IP and critical information ultimately is a business decision.
Ransomware mitigation, if it is to be successful, takes extensive planning because recovery from that type of incident demands a similar recovery process and comprehensive testing ahead of an actual event as Disaster Recovery encourages. Ransomware affects data and infrastructure in ways that traditional IT approaches are now unable to ignore. The attack puts operations at risk, but also it locks data out of the hands of users, which places pressure on business livelihood and reputation.
Miller shares what he calls the 5 W’s of Resiliency for Ransomware:
- Who is going to execute recovery?
- What is being recovered?
- When is it being recovered? (RPO)
- Where is the data infected?
- Why are you recovering?
For the first W: Who is going to do the recovery if you’re dealing with a production outage environment? You got your IT staff working on restoring that environment. If you are in a ransomware situation, you have your IT staff and your security staff and everybody else involved trying to put out the fire and deal with that situation. So who is going to execute the recovery plan?
For the second W: A lot of things are important, but not everything is as urgent as needing to be recovered following a ransomware attack. So, understanding what is being recovered and the speed and scenarios on how they are being recovered is important.
For the third W: When is it being recovered? As soon as possible. But when the point in time is the point of this question. You must pre-build a solution that allows you to pick the appropriate point in time. A lot of solutions are designed around recovering to the latest replica or the latest copy or the last version of the stream. But we’re dealing with ransomware. Sometimes you need to roll back the clock much further than anticipated. It’s not a matter of just getting rid of the ransomware. It’s the fact that in some cases you need to provide evidence, forensics, security evaluation, etc. around the situation for cybersecurity. So even if you’ve got things under control, that production environment may not be available for you to do a full production restore to.
For the fourth W: When considering where you’ll recover to, keep in mind that ransomware is one of the scenarios you may have infrastructure failure, communication failure, and other types of failure. Knowing where you’ll send normal operations while the forensics team investigates is key to effective mitigation.
For the fifth W: Asking why you are recovering forces the business to discuss the varying types of disasters and the differing avenues of recovery for each as part of your strategy for ongoing business resiliency.
Best Practices for Preparing on the Preventative Side
In the middle portion of the webinar event, Mohammed Sabunchi, Storage Specialist at AWS, presented his knowledge on how the industry is viewing the threat of ransomware, and what steps businesses need to be taking to shore up their preventative practices.
He shared that, according to Gartner, about 75% of organizations are expected to face one or more one similar threats between now and 2025. Another interesting fact he shared was that ransomware attacks are occurring in 2021 every 11 seconds. There are two types of ransomware attacks or techniques: locker ransomware and crypto ransomware. Locker ransomware isolates end users from accessing data or accessing their data or their systems, whereas crypto ransomware is when hackers manage to encrypt the data and applications that then the end user is required to purchaser decryption keys in order to gain access back.
Sabunchi shared that there are three main categories that make organizations more vulnerable than others to ransomware attacks. The first one concerns technical aspects. When organizations depend on legacy systems that are not updated and patched on a timely basis, they are wide open for exploitation. The second category is all about having the awareness across the board. Employees are the first line of defense, so if they’re well trained and well equipped, they can be alerting against any incoming threats. The third category is the organization’s governance body not having a unified security strategy in place. When organizations have multiple regions and multiple departments, they must also have governance policies in place that address the needs and risks of each region and department.
The National Institute Standard of Technologies (NIST) Framework has became widely adopted across almost all all all sectors. It consists of five pillars which basically provide guidance controls and best practices on how to go about improving your business stance:
The fifth pillar is where ransomware has targeted as a weak point, and this is best addressed with a strong resiliency plan that includes both replication and backup technologies.
Using DRaaS, BaaS, and “the Trifecta”
Ben Miller took the last leg of the event, sharing how Disaster Recovery as a Service (DRaaS) and Backup as a Service (BaaS) tie together for true resiliency. DRaaS tends to emphasize speed of recovery, which can be useful for your unaffected datasets and systems following a ransomware event, whereas BaaS emphasizes the slower, careful retention of datasets, which is a must for precise attention to the affected assets following a ransomware attack.
Ransomware requires its own recovery time objective (RTO) which is separate from the RTOs you might have for other disaster scenarios such as hurricanes, floods, wildfires, power outages, and human error. That’s why InterVision works side by side clients in tailoring their recovery solution to the specific SLA needs of their businesses. Our proprietary program, Recovery Assurance, has a specific process that encourages ongoing maintenance and testing, which drives continual readiness for any event type.
Miller also called attention to what he called “the trifecta” of designing for the recovery of ransomware:
- Multi-Factor Authentication
- Air Gapping / Segmenting Environments and Datasets
- Immutable Backups
Multi-factor authentication ensures that the control plane and systems cannot be accessed without a second factor like your your cell phone or a key fob, so that scripts and compromised credentials can’t be used to infect additional data. Air gapping keeps segmentation between your datasets, so that groups of data are inaccessible from your production, and accounts are segmented to prevent compromised credentials from going far. Immutable backups are not able to be deleted after they have been copied. Miller emphasized that these three factors need to be built into every disaster recovery for ransomware design.
The event wrapped up with Miller sharing a real-life story of InterVision’s quick action to help a client recover from a ransomware event this past spring. You can read that case study here.
If you want to learn more about InterVision’s trusted approach to DRaaS and BaaS, which together emphasize ransomware recoverability, reach out to us here.